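--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,170 @@
+package cli
+
+import (
+ "fmt"
+ "sort"
+
+ corecommon "github.com/jfrog/jfrog-cli-core/v2/docs/common"
+ flags "github.com/jfrog/jfrog-cli-security/cli/docs"
+ dockerScanDocs "github.com/jfrog/jfrog-cli-security/cli/docs/scan/dockerscan"
+ "github.com/jfrog/jfrog-client-go/utils/log"
+ cliCommand "github.com/urfave/cli"
+)
+
+const (
+ // Security Commands Keys
+ Dockerscan = "dockerscan"
+
+ // Indexer Flags
+ BypassArchiveLimits = "bypass-archive-limits"
+
+ // Output Data Flags
+ OutputFormat = "format"
+ DetailedSummary = "detailed-summary"
+ FixableOnly = "fixable-only"
+ MinSeverity = "min-severity"
+ ExtendedTable = "extended-table"
+
+ // Security Flags
+ Fail = "fail"
+ Watches = "watches"
+ RepoPath = "repo-path"
+ Vuln = "vuln"
+ scanPrefix = "scan-"
+ buildPrefix = "build-"
+ BuildVuln = buildPrefix + Vuln
+ ScanVuln = scanPrefix + Vuln
+ Licenses = "licenses"
+
+ //JAS Flags
+ Sca = "sca"
+ Iac = "iac"
+ Sast = "sast"
+ Secrets = "secrets"
+ WithoutCA = "without-contextual-analysis"
+ SecretValidation = "secret-validation"
+
+ // General Flags
+ Project = "project"
+ ServerId = "server-id"
+)
+
+var flagsMap = map[string]cliCommand.Flag{
+ // Common commands flags
+ ServerId: cliCommand.StringFlag{
+ Name: ServerId,
+ Usage: "[Optional] Server ID configured using the config command.",
+ },
+ // Scan flags
+ Watches: cliCommand.StringFlag{
+ Name: Watches,
+ Usage: "[Optional] A comma-separated(,) list of Xray watches, to determine Xray's violations creation.` `",
+ },
+ MinSeverity: cliCommand.StringFlag{
+ Name: MinSeverity,
+ Usage: "[Optional] Set the minimum severity of issues to display. The following values are accepted: Low, Medium, High or Critical.` `",
+ },
+ FixableOnly: cliCommand.BoolFlag{
+ Name: FixableOnly,
+ Usage: "[Optional] Set to true if you wish to display issues that have a fixed version only.` `",
+ },
+ ExtendedTable: cliCommand.BoolFlag{
+ Name: ExtendedTable,
+ Usage: "[Optional] Set to true if you'd like the table to include extended fields such as 'CVSS' & 'Xray Issue Id'. Ignored if provided 'format' is not 'table'.",
+ },
+ BypassArchiveLimits: cliCommand.BoolFlag{
+ Name: BypassArchiveLimits,
+ Usage: "[Optional] Set to true to bypass the indexer-app archive limits.",
+ },
+ Project: cliCommand.StringFlag{
+ Name: Project,
+ Usage: "[Optional] JFrog Artifactory project key.",
+ },
+ RepoPath: cliCommand.StringFlag{
+ Name: RepoPath,
+ Usage: "[Optional] Target repo path, to enable Xray to determine watches accordingly.",
+ },
+ Licenses: cliCommand.BoolFlag{
+ Name: Licenses,
+ Usage: "[Optional] Set to true if you'd like to receive licenses from Xray scanning.",
+ },
+ Fail: cliCommand.BoolFlag{
+ Name: Fail,
+ Usage: fmt.Sprintf("[Optional] When using one of the flags --%s, --%s or --%s and a 'Fail build' rule is matched, the command will return exit code 3. Set to false if you'd like to see violations with exit code 0.", Watches, Project, RepoPath),
+ },
+ OutputFormat: cliCommand.StringFlag{
+ Name: OutputFormat,
+ Usage: "Defines the output format of the command. Acceptable values are: table, json, simple-json and sarif. Note: the json format doesn't include information about scans that are included as part of the Advanced Security package.",
+ },
+ //JAS Flags
+ Sca: cliCommand.BoolFlag{
+ Name: Sca,
+ Usage: fmt.Sprintf("Selective scanners mode: Execute SCA (Software Composition Analysis) sub-scan. By default, runs both SCA and Contextual Analysis. Can be combined with --%s, --%s, --%s, and --%s.", Secrets, Sast, Iac, WithoutCA),
+ },
+ Iac: cliCommand.BoolFlag{
+ Name: Iac,
+ Usage: fmt.Sprintf("Selective scanners mode: Execute IaC sub-scan. Can be combined with --%s, --%s and --%s.", Sca, Secrets, Sast),
+ },
+ Sast: cliCommand.BoolFlag{
+ Name: Sast,
+ Usage: fmt.Sprintf("Selective scanners mode: Execute SAST sub-scan. Can be combined with --%s, --%s and --%s.", Sca, Secrets, Iac),
+ },
+ Secrets: cliCommand.BoolFlag{
+ Name: Secrets,
+ Usage: fmt.Sprintf("Selective scanners mode: Execute Secrets sub-scan. Can be combined with --%s, --%s and --%s.", Sca, Sast, Iac),
+ },
+ WithoutCA: cliCommand.BoolFlag{
+ Name: WithoutCA,
+ Usage: fmt.Sprintf("Selective scanners mode: Disable Contextual Analysis scanner after SCA. Relevant only with --%s flag.", Sca),
+ },
+ SecretValidation: cliCommand.BoolFlag{
+ Name: SecretValidation,
+ Usage: fmt.Sprintf("Selective scanners mode: Execute Token validation sub-scan on secrets. Relevant only with --%s flag.", Secrets),
+ },
+ // Git Flags
+ DetailedSummary: cliCommand.BoolFlag{
+ Name: DetailedSummary,
+ Usage: "[Optional] Set to true to get a contributors detailed summary.",
+ },
+}
+
+var commandFlags = map[string][]string{
+ Dockerscan: {
+ BypassArchiveLimits, DetailedSummary, ExtendedTable, Fail,
+ FixableOnly, OutputFormat, Licenses, MinSeverity, Project, RepoPath,
+ ServerId, Vuln, Watches, Secrets, SecretValidation,
+ },
+}
+
+func GetSecurityHelpCommands() []cliCommand.Command {
+ return []cliCommand.Command{
+ {
+ // this command is hidden and have no logic, it will be run to provide 'help' as a part of the buildtools CLI for 'docker' commands. ('jf docker scan')
+ // CLI buildtools will run the command if requested: https://github.com/jfrog/jfrog-cli/blob/v2/buildtools/cli.go
+ Name: dockerScanCmdHiddenName,
+ Flags: GetCommandFlags(flags.DockerScan),
+ Usage: dockerScanDocs.GetDescription(),
+ HelpName: corecommon.CreateUsage("docker scan", dockerScanDocs.GetDescription(), dockerScanDocs.Usage),
+ UsageText: dockerScanDocs.GetArguments(),
+ ArgsUsage: dockerScanDocs.GetArguments(),
+ Hidden: true,
+ },
+ }
+}
+
+func GetCommandFlags(cmd string) []cliCommand.Flag {
+ flagList, ok := commandFlags[cmd]
+ if !ok {
+ log.Error("The command \"", cmd, "\" is not found in commands flags map.")
+ return nil
+ }
+ return buildAndSortFlags(flagList)
+}
+
+func buildAndSortFlags(keys []string) (flags []cliCommand.Flag) {
+ for _, flag := range keys {
+ flags = append(flags, flagsMap[flag])
+ }
+ sort.Slice(flags, func(i, j int) bool { return flags[i].GetName() < flags[j].GetName() })
+ return
+}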
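Review bot: `buildAndSortFlags` will panic on any key that is absent from `flagsMap`: the lookup `flagsMap[flag]` silently yields a nil `cliCommand.Flag`, and the `sort.Slice` comparator then calls `GetName()` on that nil interface. The case is reachable in this very hunk, because `commandFlags[Dockerscan]` lists `Vuln`, which `flagsMap` never defines, so the hidden `docker scan` help command would crash on the first comparison. Either add a `Vuln` entry to `flagsMap` or make the lookup defensive, logging and skipping unknown keys the way `GetCommandFlags` already does for unknown commands (rewrite below). Separately, the `Usage` strings for `Watches`, `MinSeverity` and `FixableOnly` end in a stray "` `" that will be printed verbatim in help output, and `GetSecurityHelpCommands` looks up `flags.DockerScan` from the docs package while `commandFlags` is keyed by the local `Dockerscan` constant — if those two strings differ, the command would be built with no flags at all, which is worth confirming.

```go
func buildAndSortFlags(keys []string) (flags []cliCommand.Flag) {
	for _, key := range keys {
		flag, ok := flagsMap[key]
		if !ok {
			// A missing entry must not be appended as a nil Flag: the sort comparator dereferences it.
			log.Error("The flag \"", key, "\" is not found in flags map.")
			continue
		}
		flags = append(flags, flag)
	}
	// … unchanged: sort by flag name and return …
}
```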